Ten things to read about today’s data retention decision

I am a fair-weather blogger, and so I cannot remember the last time I had so many visits or retweets in a day.  Piggybacking on the unexpected traffic boost, here are ten things worth reading (from various sources) about the reason for that traffic – the finding by the Court of Justice of the EU that the Data Retention Directive is, on human rights grounds, invalid.  (My own post, Data retention parrot, is here).

I had plenty to choose from in putting this list together – fortunate that the decision was published when many of us legal academics are not teaching?

  1. The decision of the Court.  The early pages are taken up with reproducing the provisions of the legislation, so if you are familiar with the Directive, those pages are most skippable.
  2. Fiona de Londras, professor at Durham Law School, writing at Human Rights in Ireland. Special mention: discussion on whether “a more tailored, narrower approach” might survive scrutiny if the Directive is to be replaced (see also her lessons for the US, posted at The Conversation).
  3. “Cybermatron”, an expert in this field, writing on her blog. Special mention: highlighting weaknesses in the decision, including where the Court may have underappreciated the significance of the legislation and of this challenge.
  4. Steve Peers, professor at the University of Essex Law School, writing on his blog EU Law Analysis. Special mention: analysis of the current status of the (invalid) Directive, and options for states and the EU from this point on.
  5. Paul Bernal, lecturer at the UEA Law School, writing on his blog. Special mention: how the decision sits within the wider debate on and advocacy for privacy.
  6. Karlin Lillington, journalist, writing in the Irish Times. Special mention: the consequences for Ireland and the EU, by someone who has been instrumental in highlighting data retention practices for over a decade.
  7. Luke Scanlon, solicitor, Pinsent Masons, writing on Out-law. Special mention: impact on other legislation, including data protection present and future.
  8. Glyn Moody, author and journalist, writing for ComputerWorld UK. Special mention: explanation, point by point, of how the court’s decision relates to specific data retention practices.
  9. Gabriele Steinhauser, journalist, writing in the Wall Street Journal. Special mention: how the decision is being reported to an international audience, including the political dimension.
  10. Press release and FAQ on the decision from the European Commission (the ‘losing’ side, not that you would know that from the statement). Special mention: reading it with a straight face.

Apologies to those omitted – additional links welcome, through the comments sections below.

Advertisements

The data retention parrot

One of the most-read posts on this site is a 2009 set of ten questions about data retention legislation in Ireland. It was written with a mixture of anger and detail. Today’s post contains neither. Instead, it’s relieved – but hurried.

This morning, the Court of Justice of the European Union (CJEU) ruled in a set of cases regarding the validity, from a human rights point of view, of the Data Retention Directive (which provides for the retention by service providers of phone and Internet communications data across the EU for set periods, for the purpose of subsequent access by public authorities). Here’s the decision as posted on Scribd; official link to follow. Cases C-293/12 and C-594/12.

The Advocate General had already given his Opinion in late 2013, which was in some respects very critical of the Directive, but his recommendations were also a bit limited.  Of the cases that the CJEU heard, the one I know best (unsurprisingly) is the challenge made in Ireland by Digital Rights Ireland (High Court decision of 2010). This, and other cases starting in Austria, were sent to the EU court for a ruling on points of EU law.

Here are my first-look highlights from today’s decision.

1. The Directive raises serious issues of compatibility with the fundamental rights protected under EU law (privacy and data protection) – and it is not proportionate, and therefore invalid. This was clearly flagged by the Advocate General and will be the big headline today, rightly.  I’m just going to add some more observations, but the big result shouldn’t be ignored!

2. On the other hand, the proposal of the Advocate General (that the effect of declaring it invalid be suspended to allow better legislation to be introduced; paras 154-158 of his Opinion) has been entirely ignored in the decision, and only alluded to in a footnote in the accompanying press release. If I’m reading it right, this idea has simply disappeared.  The Directive is dead and, legally speaking, should never have existed.

3. There are important warning signs to the European bodies for the (inevitable) attempt to draft a replacement. Because of the nature of the rights and the infringements, discretion of the legislative bodies “is reduced, with the result that review of that discretion should be strict” (paras 47-8). Shroud-waving should also be avoided; “the fight against serious crime, in particular against organised crime and terrorism, is indeed of the utmost importance in order to ensure public security and its effectiveness may depend to a great extent on the use of modern investigation techniques. However, such an objective of general interest, however fundamental it may be, does not, in itself, justify” a retention measure such as this one (para 51). There are a range of specific criticisms outlined from para 58 onwards that would surely be relevant, e.g. application to the whole population, temporal or geographic restrictions, lack of a definition of serious crime, inadequate limits on access/use, a retention period plucked out of the air. Export outside the EU (topical!) is also highlighted at para 68.

4. Although it wasn’t necessary to rely on it to reach today’s result (see paras 69-70) , the CJEU makes some very important comments about the relationship between surveillance and speech:

In such circumstances, even though, as is apparent from Article 1(2) and Article 5(2) of Directive 2006/24, the directive does not permit the retention of the content of the communication or of information consulted using an electronic communications network, it is not inconceivable that the retention of the data in question might have an effect on the use, by subscribers or registered users, of the means of communication covered by that directive and, consequently, on their exercise of the freedom of expression guaranteed by Article 11 of the Charter. (para 28)

(Bonus points for channelling Vizzini)

5. The Court makes significant use of the ECtHR’s decision in S & Marper v UK (about DNA databases) – three separate references, all ‘by analogy’ regarding article 8 ECHR. The significance of S was clear at the time and today’s opinion demonstrates how it valuable it is in terms of analysing questions of law and technology – especially chilling and cumulative effects.  It’s also further evidence of the way that the CJEU builds on ECtHR rulings.

6. The Court endorses the Advocate General’s point about perception. It’s not a point unknown to those in the field (especially through the jurisprudence of the German courts and others), but it’s still not fully grasped in the UK and Ireland; data retention of this nature is “likely to generate in the minds of the persons concerned the feeling that their private lives are the subject of constant surveillance” (para 37). (Which, for the record, is a bad thing).

Those are some first thoughts, and are really an extension of even earlier thoughts posted on Twitter. More later if I can!

When Irish eyes are watching

Last year, I was invited to give a ‘response’ to two very interesting papers at a seminar of the British Association for Comparative Law. The papers, by Paula Giliker and Elspeth Christie Reid, were on the evolution of breach of confidence and privacy, primarily in relation to England and Scotland. (Eric Clive wrote up his notes from the day here).

The papers, including a developed version of my comparative comments, are now being published in Juridical Review. A slightly earlier version of my contribution is available on SSRN through the University of Edinburgh School of Law Working Paper Series (here’s the series, and while there why not also download my colleague Judith’s latest paper on big data and small government…).

My article is a short one, and the main thing I hope it does is remind some UK-based readers of the interesting things that have happened in Ireland in relation to the privacy cause of action. I do spent a good deal of space talking about Sullivan v Boylan [2013] IEHC 104, which is a particularly useful contribution to the English and Scottish debates on how to handle the evolving questions of privacy and confidence. I also talk a bit about New Zealand.

Beyond breach of confidence: an Irish eye on English and Scottish privacy law

This article is based on comparative comments (with special attention paid to Irish law) presented at a seminar on breach of confidence and privacy. It is first argued that a continuing uncertainty regarding the role of statute in relation to privacy is common to the development of doctrines in both England and Scotland, with similar anxieties present in other jurisdictions. In the absence of statutory clarity, the questions arising out of debate on the nature of the cause of action, and the consequences of variation in definitions of “privacy”, are considered – with special attention to developments in Ireland and New Zealand. The relationship between the evolution of breach of confidence and the human rights framework is also noted. Finally, the prospects for law reform and/or convergence across jurisdictions in the United Kingdom are assessed.

(Sorry if you expected this post would be about this; words fail me on that subject, I’m afraid).

FISA, NSA and PRISM: behind the headlines

My Edinburgh colleague Judith Rauhofer (who has a particular research and teaching interest in privacy, data protection, and information), along with Caspar Bowden (who many readers will know through his writing and advocacy on privacy), has just launched a very timely paper on data protection in ‘the cloud’, with a particular emphasis on data stored in the US and subject to US law on access to data. Judith and Caspar have been making this argument well before the current PRISM/NSA reporting, and the paper makes it clear how there are already a number of important legal issues that require attention. The paper engages with recent scholarship on cloud computing itself (e.g. the Queen Mary projects) and the proposed new Regulation on data protection. It also contains a very detailed analysis of FISA. But the key argument, and the one that deserves the most attention from those who have reacted with alarm to recent news reports, is that about the obligations of European institutions to protect fundamental rights; both the Charter and Convention are discussed.

The paper is now available on SSRN:

Protecting Their Own: Fundamental Rights Implications for EU Data Sovereignty in the Cloud

Recommended reading, 14-20 February 2013

News, blog posts, etc

Lisa Campbell, ‘Is Netflix just a novelty?‘ (Broadcast 14 February 2013). Given my interest in VOD (primarily how it is regulated but to get there requires understanding the market), the last few weeks have provided much to think about.  I can’t decide whether to be impressed at the Netflix coup of launching House of Cards as an all-at-once release or cynical about how its press releases were parroted by some in the press.  I think both.  Anyway, the coverage in Broadcast does look at it from a number of different angles. (Thought I will return to although I’ve probably said it before: if the standard for being covered by EU audiovisual media law includes being ‘TV-like’ subject to interpretation in a ‘dynamic’ way, does this sort of move make a difference?)

Jeremy Phillips, ‘Save our hyperlinks! Paws for reflection as Profs Opine‘ (IPKat 15 February 2013).  Commentary on the intervention of academic group the European Copyright Society (does it have a website? cannot find) in a very important case on hyperlinks, Svensson.  The case is before the Court of Justice of the EU shortly and takes up a question much loved by IT textbooks more or less since they started to exist: is a link one of the acts restricted under copyright law?  If so, then the consent of the author of the target page may be necessary – but the consequences are significant.

Claire Porter, ‘Google ‘flaw’ puts users’ details on display‘ (News.com.au 16 February 2013). Another tricky story about apps and privacy; this one is about the Google Play store.  Worth noting that there is a bit of discussion about the way the story has been reported (and amended) – see e.g. here.  Original link via Slashdot.

David Streitfield, ‘Tech Industry Sets Its Sights on Gambling‘ (New York Times 18 February 2013). Discusses the implications of any change in the law on online gambling in the US for social networks and for the casual gaming sector.  Also mentions the interesting issue of gambling and Diablo.

William Turvill, ‘News agencies’ fear over impact of copyright law proposals‘ (Press Gazette 20 February 2013). It looks like the lobbying against the proposed implementation of the Hargreaves Review is well underway now.  I think there is a fair point to be made about the constitutional problems (the typical, pernicious turn to secondary legislation in place of proper parliamentary scrutiny), although the substantive arguments tend to the alarmist.  For example, I can see why the photographer groups who were critical of orphan works proposals in the past are sceptical about extended collective licensing.  Less obvious to me is why that opposition extends to the long-overdue proposals on parody.  Perhaps there’s just general opposition.  We’ll see.  Given that some of these recommendations are still overdue from Gowers 2006, it would be a shame to get stuck at this stage..

Academic publications

Speaking of parody: Kris Erickson, ‘Evaluating the Impact of Parody on the Exploitation of Copyright Works: An Empirical Study of Music Video Content on YouTube‘ (Bournemouth University for IPO, 2013).  Fascinating attempt to measure the consequences of protecting (or not protecting) parody.  Via Rebecca Tushnet.

And more on copyright: Lee Edwards, Bethany Klein, David Lee, Giles Moss, and Fiona Philip, ‘Framing the consumer: Copyright regulation and the public’ (2013) 19 Convergence 9-24 (£). Multi-disciplinary perspective on attitudes to copyright, with a particular interest in downloading (other articles in the same issue also explore the theme of attitudes and IP)

 

 

Recommended reading, 7-13 February 2013

News, blog posts, etc

European Commission, ‘EU Cybersecurity plan to protect open internet and online freedom and opportunity‘ (press release, 7 February 2013).  Marking the release of a new strategy and proposed Directive (download both of them here) on this topic.  The interesting bit about this is how it’s framed – legally speaking it’s an internal market measure (not crime!); strategically, it follows up on the many comments about ‘trust’ in the Digital Agenda documents of the last couple of years.  While most of the operative provisions of the Directive are about national authorities for infrastructure and cooperation between them, there is an interesting (proposed) obligation for member states to regulate ‘market operators’ in terms of security and also notification of breaches.  (Incidentally, is this category of ‘market operator’ a new one?  It has two sub-categories – information society services ‘which enable the provision of other’ ISSes (examples in an Annex are cloud computing platforms, app stores, search engines, social networks), and operators of certain types of critical infrastructure.  Art 14 doesn’t apply, in essence, to telephone/mobile/broadband providers, because the electronic communications directives already occupy the field.  (It also doesn’t apply to certain players in the much-maligned electronic signatures field – although I read that exclusion as being broader than those entities contemplated in the 1999 Directive).  (The ‘open internet’ etc language of the strategy and press release is slightly overstated, I think).

John Brodkin, ‘Wi-Fi “as free as air”—the totally false story that refuses to die‘ (Ars Technica 8 February 2013). This is most curious. The (interesting and potentially significant) work of the FCC on what to do with UHF ‘white spaces’ – spectrum formerly used or left as a buffer for TV broadcasting but becoming available for other uses – has been of interest in IT law for some years now.  Then seemingly from nowhere, a normal development in the regulatory process became the basis for an article about free wifi.  This is not to say that white spaces and Internet access are unconnected; clearly, it’s one of the reasons that people beyond spectrum gurus talk about it.  (I wrote about it in passing in this 2009 article, in section 5.5).  But the licensing process does not deliver a free service by any means (even if, as is being discussed, the regulatory model would not include a license fee for spectrum use).  Nor has anything particularly interesting happened in recent weeks – as Brodkin’s deconstruction points out, the interesting stuff either happened a few years ago (when the opening up started) or will happen in the future (if new services are launched).

Simon Fodden, ‘Edwin Mellen Press’s Curious Case‘ (Slaw 10 February 2013).  A comment, with plenty of links, on the developing (and worrying) story about the huge defamation claim (the applicant seeks the equivalent of over £2m!) against a librarian (who wrote some quite critical things about a publisher, informed by his knowledge of the field) and his university employer.  I would certainly not have anything to do with this publisher as a result of its actions in this case (whatever about the underlying allegations themselves!).

Alexander Hanff, ‘The murky world of privacy advocacy‘ (10 February 2013). A new blog and a rollicking start, with a detailed analysis of corporate funding for tech-related NGOs. It’s about time. Given the field I’m working in, I’ve seen quite a few of these organisations (and indeed, their close cousins, the consultant reinventing themselves as an NGO/think-tank with no membership, no membership and often nothing to add). I think the post by Hanff demonstrates a very honest attempt to understand the weaknesses of the lobbying system and reminds us all to think about the motives as well as the contents of interventions.

Virtual currency and virtual property revisited‘ (Technollama 11 February 2013). An overview of recent developments on virtual £££ and IP and other things, prompted by a piece in Forbes which mostly about virtual property). See also this nice PBS video on Bitcoin, etc.

Academic articles

Nina Mendelson, ‘Should Mass Comments Count?’ (2012) 2 Michigan Journal of Environmental & Administrative Law 173 (SSRN). This is a response to the author’s earlier work (and a debate about it), but reading the article covers much of what before quite neatly.  The issue is a controversial one – how, when public consultation happens, to deal with different forms of participation (particularly one-click or template methods).

Michael O’Flaherty, ‘Freedom of Expression: Article 19 of the International Covenant on Civil and Political Rights and the Human Rights Committee’s General Comment No 34’ (2012) 12 Human Rights Law Review 627-654 (£, link).  The author of this article was the rapporteur work on this General Comment and discusses the comment as well as some of the cases and stories it relied upon.  Watch out for the interesting discussion of article 19 and emerging technology, too.

E Tarantino, ‘A simple model of vertical search engines foreclosure’ (2013) 37 Telecommunications Policy 1 (£, link).  The new volume of this journal (mix of law, business, economics, etc) starts off with one of the topics of the year, competition law and search engines.

Recommended reading, 24 January – 6 February 2013

Double edition! At the end of January, I was caught up in the excitement of the official launch of CREATe.  I was taking notes on laptop and paper, so more to follow on that soon.

News, blog posts, etc

Eric Goldman, ‘17 USC 512(f) Is Dead–Lenz v. Universal Music‘ (Technology & Marketing Law Blog 25 January 2013). Goldman discusses the latest decision in the Lenz case (the infamous ‘kid dancing to Prince‘ video and how it was taken down at the request of the record label).  He reports on the way in which section 512(f) of the DMCA (misrepresentation in takedown notices) has been read in a narrow fashion by the court and argues that it will have little purpose in the future.  This is interesting (as is his neat point that because a lot of takedowns now happen outside of the DMCA process, it’s already becoming irrelevant) – for me, having argued that the EU should apply its ‘groundless threats’ approach to notice and takedown to come into line with the DMCA, it’s a warning to draft that suggestion more carefully.

Mike Madison, ‘Coulton, Glee, and Copyright‘ (Madisonian 28 January 2013). On a theme of legal and other considerations – this is an article responding to a scandal which I confess had escaped me (involving Glee!), about a legal issue I’m more familiar with ‘covers of covers’.  For the interest of non-US readers – this is a particular feature of US copyright law where a ‘cover version’ can be the subject of a compulsory licence.  (Actually – as discussed in the post – this isn’t always the solution, as there can be negotiation or going through the Harry Fox Agency instead).  However the situation here (the rights of B in its cover version of A’s composition against C’s cover version of A which is derived from B’s) may stretch the effectiveness of that solution (and, as Madison talks about in the second half of his post, suggest questions about the purpose of the law and about the ethics of the situation.

WhatsApp breaches privacy laws‘ (CBC News 28 January 2013). You know I like stories about apps.  This one is about one of the success stories of last year, WhatsApp (instant messaging).  As the CBC story explains, the Privacy Commissioner of Canada (along with equivalent authorities in the Netherlands) has investigated a bunch of issues regarding the service and privacy.  Some were resolved through changes to the operation of the service, but one major continuing breach was noted – the requirement to grant access to full address books in order to use the service.  The full report is here.

Liat Clark, ‘WTO grants Antigua right to launch ‘pirate’ site selling US media‘ (Wired UK 29 January 2013).  This story, widely reported during this period, is about Antigua’s success before the World Trade Organisation (some time ago now – see case file DS285) in its criticism of US violation of world trade law in respect of the regulation of online gambling.  As suggested for a few year now – but now getting more likely as the measure has been approved – it proposes to use the WTO mechanism of trade retaliation, because the US has failed to implement the binding decision of the dispute settlement process.  The US is professing shock and dismay.  However, as a strong proponent of free trade (and indeed the sanctions associated with the WTO process), I’m sure that an understanding can be reached.  Remember: the US took the case to an appeal and lost, and arbitration has also been pursued.

Jason Del Rey, ‘YouTube Set to Introduce Paid Subscriptions This Spring‘ (Advertising Age 29 January 2013). There’s been a flurry of stories in 2013 about how to build a model of charging for video-on-demand; this story explains the proposal to identify selected channels and charge a monthly (and possibly PPV) fee.  Answers on a postcard – will this, if it succeeds, encourage broadcaster-managed non-archive VOD (e.g. the ‘catchup’ bit of 4od, for example) to try and build a charging system – and if so, is it Spotify-style or micropayments per programme?  (I say non-archive VOD because there is a relatively clear mixed economy emerging for archive VOD with various forms of charging and ad support)

Kevin Chao, ‘Mobile Kills the Console But Advances the Gaming Industry‘ (Wired 31 January 2013). Is this finally the year of mobile gaming?  Lovely stats here and a framing of the issue as being about reach, engagement and monetization.  (There is however an ongoing and very significant issue in the UK – and no doubt elsewhere – about monetization and mobile, the role of mobile network operators vs (e.g.) Facebook credits vs other models and the role of PhonePayPlus (regulates premium rate calls and texts which is one of the ways the charge can be set) – see the very perceptive market study for that very organisation.

Bob Tarantino, ‘What the *BLEEP*? Coarse Language in Radio Broadcasts‘ (Entertainment & Media Law Signal 31 January 2013).  Round-up of Canadian broadcast standard decisions on language and radio.  (On that note, I noted subsequently how the New York Times reported the well-deserved Grammy success of Jay-Z & Kanye West as being for ‘___ in Paris’, and the awkward pacing of the bowdlerised broadcast version of the new UK no. 1 single, Thrift Shop; compare the editing on this page (short silencing of the offending part making the result ‘This is ___ing awesome’) with what actually went on air in the chart show (looping, making the result ‘This is aws-aws-awesome’), here at 2h54m)

Josh Halliday, ‘YouTube study shows children ‘three clicks away from explicit material’‘ (Guardian 5 February 2013).  Oh dear.  Apparently if you find a video aimed at children and then click and then click and click again you end up at a less suitable video.  Traumatic I’m sure, but has anyone figured out a way to prevent that without making ‘related videos’ completely unworkable?  Say a video has 20 ‘similar video’ links, then by the third click we are at up to 8000 possible videos – and by click five it’s over three million possibilities.  See also Six Degrees of Separation, etc.

Adrienne Jeffries, ‘Why Amazon wants its own currency‘ (The Verge 5 February 2013). I was reminded about The Verge by a student recently – just in time for this piece on e-money, with a nice approach to the practical as well as legal or technological reasons to adopt a particular model of payment.

Patrick Wintour, ‘Peers pass low-cost arbitration law for victims of press defamation‘ (Guardian 6 February 2013). Somewhat overtaken by events since, but this was a tricky development in the post-Leveson story – specifically, adding in one bit of the recommendations to the Defamation Bill.  Although I’m not convinced by this approach, I still hold to the view that the Defamation Bill needs to be properly linked up with the Leveson settlement.  I appreciate that some people have waited a long time for defamation reform, and that there is work that needs to be done…but its changes will be more legitimate and sustainable if they form part of the new approach to press regulation (particularly as many of the Bill’s changes are specifically defended as pro-press).